includes two firsts for the FTC:
- First FTC settlement that requires a company to implement a comprehensive privacy program
- First FTC settlement involving alleged violations of the U.S.-EU Safe Harbor Framework privacy requirements
The FTC Complaint
Also, the FTC alleged that the practices were deceptive as they did not adequately disclose that certain private information identifying who the Gmail user emailed most frequently would be made public, and that certain user privacy settings in Gmail were not carried over to the privacy settings in Google Buzz. Further, the FTC alleged that these practices violated the US Safe Harbor Privacy Principles of Notice and Choice, as Gmail users were not given adequate notice that information collected in Gmail would be used for a new purpose, and were not given adequate choice about whether they agreed to such new use.
Terms of the Proposed Settlement
The proposed settlement, which is subject to public comment through May 2, 2011, imposes robust requirements on Google, including the following:
- Before sharing user information with a third party in a manner different from Google's practices in effect when the information was collected, and which results from a change, addition, or enhancement to its products or services, Google must:
- Obtain express affirmative consent to the sharing from the user.
- Google must develop, implement and maintain a written comprehensive privacy program including designated employees responsible for the program, identification of reasonably foreseeable risks and safeguards used to mitigate risks; and establishing steps to select and retain service providers.
- Google must hire a third party privacy and data security professional to conduct assessments of Google's practices every two years for the next twenty years.
Google had previously faced scrutiny from international data protection authorities that noted disappointment and concern regarding Google's privacy practices related to Google Buzz. Additionally, in October 2010, Google settled class action claims that Google Buzz violated Federal and California privacy, computer, and consumer protection laws based on the automatic creation of "follower/follow" lists. The claims were settled for $8.5 million.
What this Means for Business
This FTC action should serve as a reminder that when developing new products, businesses should evaluate whether their privacy practices are and will remain consistent with promises made in their policies and whether they provide adequate disclosures, offer clear choices and obtain meaningful consent from customers when these practices may change. With this important settlement, the FTC has signaled that it intends to raise the bar with respect to future privacy-related enforcement activity regarding the handling of consumers' personal information.
Kelley Drye & Warren LLP
Kelley Drye & Warren's Privacy and Information Security practice is a leader in advising clients on privacy and information security issues and has been at the forefront of developments in this growing area of the law. Our attorneys regularly counsel clients regarding all aspects of privacy and data security compliance, including drafting and amending privacy and information security policies, advising clients on interpreting their own policies, crafting data security programs for clients, performing privacy and/or data security audits of existing business practices, drafting agreements with third parties regarding their obligations in connection with handling clients' customer data, and representing clients in connection with federal and state regulator privacy investigations regarding their privacy and data security practices.
For more information about this advisory, contact:
Dana B. Rosenfeld
John J. Heitmann
Alysa Zeltzer Hutnik
Christopher M. Loeffler